
Add config option turn_shared_secret_path#17690

Merged
anoadragon453 merged 2 commits into
element-hq:developfrom
V02460:turn_shared_secret_path
Sep 10, 2024

Conversation

@V02460
Contributor

@V02460 V02460 commented Sep 10, 2024

Add the config option turn_shared_secret_path and accompanying docs. The config allows Synapse to read the TURN shared secret from a file. The code was shamelessly adapted from the implementation of registration_shared_secret_path.

Reading secrets from files has the security advantage of separating the secrets from the config. It also simplifies secrets management in Kubernetes.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

@V02460 V02460 requested a review from a team as a code owner September 10, 2024 16:33
@github-actions github-actions Bot deployed to PR Documentation Preview September 10, 2024 16:34 Active
Member

@anoadragon453 anoadragon453 left a comment


Looks good to me, thanks!

(This will also be useful to NixOS users 😊)

Comment thread docs/usage/configuration/config_documentation.md Outdated
@anoadragon453 anoadragon453 enabled auto-merge (squash) September 10, 2024 17:05
@github-actions github-actions Bot deployed to PR Documentation Preview September 10, 2024 17:06 Active
@anoadragon453 anoadragon453 merged commit e06e3c4 into element-hq:develop Sep 10, 2024
devonh pushed a commit that referenced this pull request Feb 25, 2025
Adds the `--no-secrets-in-config` command line option that makes Synapse
reject all configurations containing keys with in-line secret values.
Currently this rejects

- `turn_shared_secret`
- `registration_shared_secret`
- `macaroon_secret_key`
- `recaptcha_private_key`
- `recaptcha_public_key`
- `experimental_features.msc3861.client_secret`
- `experimental_features.msc3861.jwk`
- `experimental_features.msc3861.admin_token`
- `form_secret`
- `redis.password`
- `worker_replication_secret`

> [!TIP]
> Hey, you! Yes, you! 😊 If you think this list is missing an item,
> please leave a comment below. Thanks :)

This PR complements my other PRs[^1] that add the corresponding `_path`
variants for this class of config options. It enables admins to enforce
a policy of no secrets in configuration files and guards against
accident and malice.

Because I consider the flag `--no-secrets-in-config` to be
security-relevant, I did not add a corresponding `--secrets-in-config`
flag; this way, if Synapse command line options are appended at various
places, there is no way to weaken the once-set setting with a succeeding
flag.

[^1]: [#17690](#17690),
[#17717](#17717),
[#17983](#17983),
[#17984](#17984),
[#18004](#18004),
[#18090](#18090)


### Pull Request Checklist

<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->

* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should:
  - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
  - Use markdown where necessary, mostly for `code blocks`.
  - End with either a period (.) or an exclamation mark (!).
  - Start with a capital letter.
  - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
* [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
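The file-backed TURN secret from the PR description and the `--no-secrets-in-config` rejection from the referenced commit can be modelled together. This is an added example, not Synapse's own implementation: the key list is the one the commit message gives, the config is a plain dict as loaded from YAML, and the helper names are assumptions.

```python
import tempfile
from typing import List, Optional

# Keys the commit message lists as rejected by --no-secrets-in-config
# (dotted names address nested mappings, e.g. redis.password).
INLINE_SECRET_KEYS = [
    "turn_shared_secret",
    "registration_shared_secret",
    "macaroon_secret_key",
    "recaptcha_private_key",
    "recaptcha_public_key",
    "experimental_features.msc3861.client_secret",
    "experimental_features.msc3861.jwk",
    "experimental_features.msc3861.admin_token",
    "form_secret",
    "redis.password",
    "worker_replication_secret",
]

def _lookup(config: dict, dotted: str):
    """Return the value at a dotted key path, or None if any segment is absent."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def find_inline_secrets(config: dict) -> List[str]:
    """Every listed key that is set in-line; a non-empty result means 'reject'."""
    return [k for k in INLINE_SECRET_KEYS if _lookup(config, k) is not None]

def read_turn_shared_secret(config: dict) -> Optional[str]:
    """Resolve the TURN secret, preferring the _path variant this PR adds."""
    path = config.get("turn_shared_secret_path")
    if path is not None:
        with open(path, encoding="utf-8") as f:
            return f.read().strip()  # secret files usually end in a newline
    return config.get("turn_shared_secret")

def write_constructed_secret_file(secret: str) -> str:
    """Demo helper (assumed, not Synapse's): write a constructed secret to a temp file."""
    with tempfile.NamedTemporaryFile("w", delete=False, encoding="utf-8") as f:
        f.write(secret + "\n")
    return f.name
```

A config that sets `turn_shared_secret_path` and nothing else from the list yields an empty rejection list, while any in-line value, even an empty string, is reported.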
